Apple and Google’s mobile stores have been hosting several popular “private browsing” apps operated by a company connected to a Chinese cyber security firm blacklisted by the US government.
At least five free virtual private networks (VPNs) available through the US tech groups’ app stores have links to Shanghai-listed Qihoo 360, according to a new report by research group Tech Transparency Project, as well as additional findings by the Financial Times.
Qihoo, formally known as 360 Security Technology, was sanctioned by the US in 2020 for alleged Chinese military links. The US Department of Defense later added Qihoo to a list of Chinese military-affiliated companies.
TTP’s report, which also found that 20 of the 100 most downloaded apps on Apple’s app store have Chinese owners, warns that “millions of Americans are inadvertently sending their internet traffic to Chinese companies”.
The revelations come in a climate of rising concerns in the US about Chinese tech companies and the national security risks they may pose.
VPNs allow users to sidestep geographical restrictions on websites and firewalls, offering an encrypted connection to a server through which they can access content that would otherwise be blocked in their country.
But connecting to the network also gives the VPN oversight of the user’s internet activity. China’s national security laws require all companies and individuals to co-operate with state intelligence investigations and to hand over data if asked.
The five Qihoo-linked apps — Turbo VPN, VPN Proxy Master, Thunder VPN, Snap VPN and Signal Secure VPN — were available on Apple and Google’s US stores as of last week. After the FT contacted Apple for comment, Thunder VPN and Snap VPN were pulled from its store.
According to estimates from Sensor Tower, three of the apps in the portfolio have received more than 1mn downloads from the Apple’s App Store and Google’s Play Store combined in 2025.
The portfolio is operated by Singapore-based Innovative Connecting Pte, which is in turn owned by Lemon Seed Technology, based in the Cayman Islands, according to the app listings and Singapore business records.
Qihoo told investors it paid $69.9mn for Lemon Seed and two other companies in January 2020. In May that year, the US added Qihoo to its trade blacklist, known as the entity list. The move cut it off from US technology and potentially endangered its VPN apps, which entirely target global users as they are off limits in China.
By September, Qihoo said it had decided to sell. It told investors it was “rethinking its overseas strategy” and had sold what it called “Project L” for $70.1mn. It did not disclose a buyer.
But the Guangzhou-based subsidiary of Qihoo set up in December 2019 to employ the developers in China running the apps remained part of Qihoo.
In 2021, the subsidiary’s name was changed to Guangzhou Lianchuang Technology. In 2023, it was finally sold to a newly established Beijing firm for Rmb1, according to local business records seen by the FT.
The Beijing firm’s majority owner was named Chen Ningyi. A man with the same name has run Qihoo’s phone security department and is the sole director of Lemon Seed.
When the FT recently visited Guangzhou Lianchuang’s office, two developers said they were working on the foreign VPNs and that their company was tied to Qihoo.
“You could say that we’re part of them and you could say we’re not,” said one of the programmers, without providing a name. “It’s complicated.”
In recent recruitment listings, Guangzhou Lianchuang says its apps operate in more than 220 countries and that it has 10mn daily users. It is currently hiring for a position whose responsibilities include “monitoring and analysing platform data”. The right candidate will be “well-versed in American culture”, the posting says.
Apple and Google both have policies prohibiting VPN apps from using or collecting user data without their consent, with Apple expressly prohibiting them from sharing any data with third parties.
The apps themselves have their own privacy policies, but Matthew Green, a cryptography expert at Johns Hopkins University who has audited the security of individual VPNs, said it was not easy to ensure they were being followed.
“VPNs are a big exception to [Apple’s phone privacy efforts], because they attach themselves to the root network connection of your phone,” with all online activity going through the VPN service, Green said. “It’s not a very binding promise, and not something that is very easy to enforce.”
Apple removed VPN apps — which allowed users to bypass China’s firewall — from its App Store in China in 2017, in a move developers decried as a sign of the company siding with state censorship. Google withdrew from China in 2010 and its Play Store is not available in the country.
Apple said it was in full compliance with the relevant laws and regulations and that it would take action to remove apps that break its strict VPN rules or otherwise make them comply.
It added that its app store rules did not restrict the ownership of apps by citizens or corporations in specific countries.
Google said it was “committed to compliance with applicable sanctions and trade compliance laws”, and that “when we locate accounts that may violate these laws, our related policies or terms of service, we take appropriate action”.
In January, Google announced it was introducing “verified” badges for VPN apps on the Play Store that took extra steps to prioritise safety. Turbo VPN received a “verified” badge.
Guangzhou Lianchuang declined to comment. Qihoo, Innovative Connecting Pte and Chen Ningyi did not respond to requests for comment.
